samba 3.0 pre21:joining domain with windows 2000

Matt Roberts mattro at
Fri Dec 13 08:45:01 GMT 2002


I am also seeing the problem in this thread (latest 3.0 alpha), but I am
running only the LDAP backend.  However, I see something that might help. 
Details below.  But first the setup:

>> I think the machine accounts will be stored in whatever passdb backend
>> is listed first.  sounds like you need it to be smbpasswd_nua unixsam.

I have only the LDAP backend listed, and no others, but the same symptoms.

>> do you see the new machine account in smbpasswd?

Yes.  I did a 'smbpasswd -am <machine_name>' before the join, and it
installed the appropriate LDAP attributes for the system in question. 
Then I did a join from the W2K SP3 client, and it said "Welcome to ...

>> use the admin users param

I joined the domain using one of the users in 'admin users'...

The logfile shows this when I try to logon at the W2K station (names
changed to not show development environment).  Please see my notes below
on what I think might be significant here:

[2002/12/13 01:55:07, 2] smbd/reply.c:reply_special(79)
  netbios connect: name1=SAMBA-DC         name2=WIN2K-PRO
[2002/12/13 01:55:07, 2] smbd/reply.c:reply_special(93)
  netbios connect: local=samba-DC remote=WIN2K-PRO
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching for:[rid=501]
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_open_connection(262)
  ldap_open_connection: connection opened
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_connect_system(414)
  ldap_connect_system: succesful connection to the LDAP server
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching
[2002/12/13 01:55:07, 2] auth/auth.c:check_ntlm_password(271)
  check_password:  Authentication for user [] -> [] FAILED with error
[2002/12/13 01:55:07, 2] smbd/server.c:exit_server(534)
  Closing connections

And my smb.conf looks like this:

    security = user
    workgroup = DOMAIN
    netbios name = SAMBA-DC
    encrypt passwords = Yes
    server string = Primary Fileserver (Linux 2.4/Samba %v)

    load printers = yes
    printing = LPRNG
    printcap name = /etc/printcap
    lpq cache time = 2

    lock directory = /var/lock/samba
    log file = /var/log/samba
    guest account = guest
    invalid users = root
    ; 'admin' is a posixGroup defined in the LDAP directory
    admin users = @admin
    browseable = yes
    browse list = yes
    name resolve order = wins lmhosts bcast

    passdb backend = ldapsam
    ldap admin dn = uid=Samba,ou=System,dc=example,dc=net
    ldap server =
    ldap ssl = off
    ldap port = 389
    ldap suffix = dc=example,dc=net
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Hosts
    ldap passwd sync = yes

    os level = 65
    domain logons = yes
    preferred master = yes
    domain master = yes
    local master = yes
    logon path =

And the machine account in question looks like this in the backend:

    dn: uid=WIN2K-PRO$, ou=Hosts, dc=example, dc=net
    objectClass: posixAccount
    objectClass: sambaAccount
    uidNumber: 1005
    gidNumber: 1007
    homeDirectory: /dev/null
    rid: 3010
    displayName: My Workstation (Win2k)
    cn: My Workstation (Win2k)
    uid: WIN2K-PRO$
    primaryGroupID: 3015
    acctFlags: [UW         ]
    pwdMustChange: 1041579955
    lmPassword: 676C362D1B62CE1B32C2D0BFEB16C147
    ntPassword: A7D319642F0D1B10B574C64CB4FB69FC
    pwdLastSet: 1039765555

I joined this domain with the same system yesterday with a 2.2.7 DC, and
it gave the following additional fields:

    logonTime: 0
    logoffTime: 2147483647
    kickoffTime: 2147483647
    pwdCanChange: 0

But even if I add those fields to the LDAP entry for the Windows 2000 machine
in the 3.0a system, I get the same result.

*However*, I was very interested to see this in the above log excerpt:

[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching

That is always going to return an empty result set (right?), because none
of the entries have an empty uid.  I will study the source a little
closer, but I assume that has something to do with why I can't logon. 
Could the code that did that request also be causing the trouble you all
have been discussing?

Also, shouldn't the FLAGS be just 'W' instead of 'UW'?  I'll also play
with that to see what happens.

Might I contribute something more from my logfiles that would help you
find what is causing this?  If you want to see more of my LDAP tree,
please let me know.

Thank you,
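As an added illustration of the two things the post singles out (the passdb search that shows up with no filter value, and the 'UW' flags on a machine account), here is a small Python checker that is not part of the post or of Samba: it scans Samba level-2 log lines for searches with a missing or empty filter value and for failed authentications of an empty user name, and sanity-checks a sambaAccount LDIF entry. The sample log and LDIF are constructed from the excerpt above; the 'U' check only encodes the post's own question, not a confirmed Samba requirement.

```python
import re
# Constructed samples reproducing the log excerpt and the LDIF entry from the post.
SAMPLE_LOG = """\
  ldapsam_search_one_user: searching for:[rid=501]
  ldapsam_search_one_user: searching
  check_password:  Authentication for user [] -> [] FAILED with error
"""
SAMPLE_LDIF = """\
dn: uid=WIN2K-PRO$, ou=Hosts, dc=example, dc=net
objectClass: sambaAccount
uid: WIN2K-PRO$
acctFlags: [UW         ]
"""
# The search line is matched with or without its "for:[attr=value]" part.
SEARCH_RE = re.compile(r"ldapsam_search_one_user: searching(?: for:\[(\w+)=([^\]]*)\])?")
AUTH_RE = re.compile(r"Authentication for user \[([^\]]*)\] -> \[[^\]]*\] FAILED")

def suspicious_log_lines(log):
    """Return (line_no, reason) for searches with a missing/empty filter value
    and for failed authentications where the user name is empty."""
    findings = []
    for no, line in enumerate(log.splitlines(), 1):
        m = SEARCH_RE.search(line)
        if m and (m.group(1) is None or m.group(2) == ""):
            findings.append((no, f"search with empty filter ({m.group(1) or 'none'})"))
        m = AUTH_RE.search(line)
        if m and m.group(1) == "":
            findings.append((no, "failed auth for empty user name"))
    return findings

def parse_ldif(text):
    """Minimal LDIF reader (no continuation lines or base64): attr -> [values]."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            entry.setdefault(k.strip(), []).append(v.strip())
    return entry

def check_machine_account(entry):
    """Sanity checks for a sambaAccount trust account; returns a list of problems."""
    problems = []
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid lacks the trailing $ of a trust account")
    flags = entry.get("acctFlags", [""])[0].strip("[] ")
    if "W" not in flags:
        problems.append("acctFlags lacks W (workstation trust account)")
    if "U" in flags:  # the post's question: should a machine account carry U at all?
        problems.append("acctFlags has U as well as W")
    return problems
```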
